Configuring certificate-based authentication

User Management usually performs authentication by using a user name and password. User Management also supports certificate-based authentication, which you can use to authenticate users through Acrobat or to authenticate users programmatically. For details about authenticating users programmatically, see Programming with AEM forms.

To use certificate-based authentication, import a Certificate Authority (CA) certificate that you trust into the Trust Store and then create a certificate mapping.

Import the CA certificate

When importing the certificate, select the Trust for Certificate Authentication and Trust for Identity options, and any other options that you require. For details about importing certificates, see Managing certificates.

Configuring certificate mapping

To enable certificate-based authentication for users, create a certificate mapping. A certificate mapping defines a map between a certificate’s attributes and the attributes of users in a domain. You can map more than one certificate to the same domain.

When you test a certificate, User Management uploads the certificate and checks that it meets the following requirements:

The certificate is valid.

The Issuer you specified can verify the certificate.

The certificate contains the attribute required for mapping.

The mapping you specified maps the certificate to only one user in the AEM forms database. Both current and obsolete (deleted) users are checked to determine whether they match the mapping criteria. Therefore, the certificate test fails if more than one user, including obsolete users, has the attribute value being considered.

Click New Certificate Mapping and, in the For Issuer list, select the certificate alias as configured in Trust Store Management.

Map one of the certificate’s attributes to a user’s attribute. For example, you can map the certificate’s common name to the user’s login ID.

If the content of the attribute in the certificate differs from the content of the user’s attribute in the User Management database, you can use a Java regular expression (regex) to match the two attributes. For example, if the common names of the certificates are names like Alex Pink (Authentication) and Alex Pink (Signing) and the common name in the User Management database is Alex Pink, you use a regex to extract the required part of the certificate attribute (in this example, Alex Pink). The regular expression you specify must conform to the Java regex specification.

You can transform the expression by specifying the order of the groups in the Custom Order box. The custom order is used with the java.util.regex.Matcher.replaceAll() method: the behavior you see corresponds to that method’s behavior, and the input string (the custom order) must be written accordingly.

To test the regex, enter a value in the Test Parameter box and click Test.
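The following example is added here and is not part of Adobe’s documentation or of the AEM forms code; it shows in plain Java how the mapping regex and the Custom Order combine through java.util.regex.Matcher.replaceAll(), and how the certificate test’s uniqueness rule treats obsolete users. The user list, the names, and the `transform`, `findUniqueUser` and `describe` helpers are constructed for the demo and assume Java 16 or later (records and Stream.toList()).

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CertificateMappingDemo {

    // Constructed user record: the login ID and whether the account is
    // obsolete (deleted). Obsolete users still count in the uniqueness check.
    record User(String loginId, boolean obsolete) {}

    // Apply the mapping regex and custom order the way the documentation
    // describes: the custom order is the replacement string passed to
    // Matcher.replaceAll(), so "$1", "$2", ... refer to capture groups, and a
    // literal "$" or "\" in the custom order must be escaped
    // (see Matcher.quoteReplacement).
    static String transform(String certAttribute, String regex, String customOrder) {
        Matcher m = Pattern.compile(regex).matcher(certAttribute);
        // Caveat: if the regex matches nowhere, replaceAll() returns the input
        // unchanged, so the raw certificate attribute is what gets compared.
        return m.replaceAll(customOrder);
    }

    // Mirror the certificate test: the transformed value must match exactly
    // one user, obsolete users included. Zero or several matches fail.
    static Optional<User> findUniqueUser(String value, List<User> users) {
        List<User> hits = users.stream()
                .filter(u -> u.loginId().equals(value))
                .toList();
        return hits.size() == 1 ? Optional.of(hits.get(0)) : Optional.empty();
    }

    // Summarize one mapping attempt for the console.
    static String describe(String certCn, String regex, String customOrder, List<User> users) {
        String mapped = transform(certCn, regex, customOrder);
        String outcome = findUniqueUser(mapped, users)
                .map(u -> "OK -> " + u.loginId() + (u.obsolete() ? " (obsolete)" : ""))
                .orElse("FAIL (no user, or more than one user counting obsolete users)");
        return certCn + " => \"" + mapped + "\" : " + outcome;
    }

    public static void main(String[] args) {
        // Constructed user store: one obsolete account shares a login ID with
        // a current one, which is exactly the case that makes the test fail.
        List<User> users = List.of(
                new User("Alex Pink", false),
                new User("Alex Pink", true),
                new User("Bob Gray", false),
                new User("Cara Teal", false));

        // Keep only group 1, dropping the "(Authentication)" / "(Signing)" suffix.
        String stripSuffix = "^(.*?) \\((Authentication|Signing)\\)$";
        System.out.println(describe("Alex Pink (Authentication)", stripSuffix, "$1", users));
        System.out.println(describe("Bob Gray (Signing)", stripSuffix, "$1", users));

        // Reorder groups: a "Last, First" common name becomes "First Last".
        String swapNames = "^(\\w+), (\\w+)$";
        System.out.println(describe("Teal, Cara", swapNames, "$2 $1", users));

        // Regex that does not match: the common name passes through unchanged.
        System.out.println(describe("Cara Teal", stripSuffix, "$1", users));
    }
}
```

Run it with `java CertificateMappingDemo.java`. The first line fails even though the regex extracts Alex Pink correctly, because both a current and an obsolete user carry that login ID; the last line shows that a non-matching regex leaves the certificate attribute untouched rather than producing an empty value, so the unmodified common name is what is compared against the user attribute.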